Skip to main content

Immich EUVDEUVD-2026-18756

| CVE-2026-25118 MEDIUM
Use of GET Request Method With Sensitive Query Strings (CWE-598)
2026-04-03 GitHub_M
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.6.0
EUVD ID Assigned
Apr 03, 2026 - 16:00 euvd
EUVD-2026-18756
Analysis Generated
Apr 03, 2026 - 16:00 vuln.today
CVE Published
Apr 03, 2026 - 15:51 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within the URL query parameters in a GET request to /api/shared-links/me. This exposes the password in browser history, proxy and server logs, and referrer headers, allowing unintended disclosure of authentication credentials. The impact of this vulnerability is the potential compromise of shared album access and unauthorized exposure of sensitive user data. This issue has been patched in version 2.6.0.

AnalysisAI

Immich prior to version 2.6.0 discloses shared album passwords in cleartext within URL query parameters during authentication to /api/shared-links/me, exposing credentials to browser history, proxy logs, server logs, and HTTP referrer headers. An unauthenticated attacker with access to these logs or referrer data can obtain album passwords and compromise shared album access, affecting all installations using shared albums with password protection before the patch.

Technical ContextAI

Immich is a self-hosted photo and video management application that implements shared album functionality with optional password protection. The vulnerability stems from CWE-598 (Use of GET Request with Sensitive Query Strings), a common HTTP protocol misuse pattern. When users authenticate to a password-protected shared album, the application passes the album password as a query parameter in a GET request rather than via POST request body or HTTP headers. GET request parameters are logged by default in browser history, HTTP proxy logs, reverse proxy/load balancer logs, and transmitted in the Referer header to external sites, violating the principle of transmitting credentials only through secure channels. The affected CPE range is cpe:2.3:a:immich-app:immich:*:*:*:*:*:*:*:* prior to version 2.6.0.

RemediationAI

Upgrade Immich to version 2.6.0 or later, which remediates the vulnerability by transmitting album passwords via secure HTTP POST request body or authenticated headers rather than GET query parameters. Vendor-released patch: v2.6.0 (confirmed via https://github.com/immich-app/immich/releases/tag/v2.6.0). For installations unable to update immediately, implement compensating controls: (1) restrict access to server logs and reverse proxy logs to minimize credential exposure in log files, (2) enforce HTTPS throughout the stack to prevent referrer header leakage over unencrypted channels, (3) configure log retention policies to minimize the window of password exposure in archived logs, and (4) rotate shared album passwords in existing deployments as a precautionary measure. The upstream fix is documented in pull requests #26868 and #26886, which detail the migration from GET to POST request handling for authentication endpoints.

Share

EUVD-2026-18756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy